30 January, 2007 11:30 AM EST Why Isn't BitLocker Available to Everyone?
Posted By: Jeffrey Wheatman, Research Director
At the Vista kickoff, Steve Ballmer was asked, "How important is BitLocker?" In his typical booming response, Ballmer said, "hugely important." For those of you who don't know, BitLocker is Vista's built-in full-volume encryption feature, shipped only in the Enterprise and Ultimate editions. It was created as a direct response to the plethora of data exposures resulting from lost or stolen laptops. BitLocker protects against disclosure by encrypting the entire Windows volume, so the data is unreadable to anyone who pulls the drive or boots another operating system. Note that this is protection for data at rest: once the machine is booted and unlocked, BitLocker does nothing to stop an attacker with a live session.

COMMENTS
31 January, 2007 07:15 PM EST I don't think BitLocker will ever be widely used for Full Disk Encryption (FDE). Reasons:
1) Vista Ultimate edition is pricey;
2) Vista runs only on newer desktops;
3) The other FDE solutions (http://www.full-disk-encryp...) are inexpensive, support multiple platforms and OSes, and can run on older hardware;
4) In future all laptops will probably include Seagate's Momentus FDE.2 drive, which performs encryption using hardware on the HDD, thus no impact to the CPU. (http://www.seagate.com/www/...)

13 February, 2007 06:13 PM EST Hi :) I think we need some history on the TPM 1.2 spec (Trusted Platform Module) to better understand what Vista BitLocker Drive Encryption does. Without a chip or module and an enhanced BIOS physically in or attached to your computer, the Vista BitLocker security feature does not provide enhanced security with disk encryption. TPM modules and the specs have been available for quite some time. TPM 1.2 needs to be ordered as a component of a server, desktop or laptop computer. These computers physically have a security chip installed on the motherboard to work with a modified version of the BIOS.
I would recommend TPM-compliant computers in situations where the value of the contents of the hard drive is significant, intrinsic or strategic. For example, a law enforcement investigator with open case files, an engineer working on secret formulas or plans, a manager with next month's advertising campaigns and product costing, a case worker with confidential client files, etc. Most of these people could be working in the field or travel extensively, increasing the risk that their laptop could be stolen or lost. Microsoft's intent in incorporating BitLocker drive encryption into suitably equipped machines is that it "ensures that data stored on a computer running Windows Vista remains encrypted even if the computer is tampered with when the operating system is not running". So really, is it a big deal for the masses? No. It is for organizations that really need enhanced security at the cost of system performance. The more sophisticated the encryption scheme, the slower the drive(s) are. I have tried a number of software implementations and prefer a product called TurboCrypt - http://www.asystematics.com... for its range of strengths and consistency across platforms (with or without TPM). As a caution, deciding to implement an encryption strategy should not be taken lightly. There are serious consequences if it is not done properly. Being completely locked out of your own data is a situation that is extremely expensive to recover from. On the other hand, so is having a competitor with a copy of your strategic plan for the next twelve months. ATB

28 February, 2007 02:09 AM EST Another note on BitLocker is the requirement for both a TPM 1.2 chip and a USB flash drive that is recognized when booting up Vista. The necessary data is encrypted on the flash drive to reduce security concerns and will only work on the designated computer system. On the downside, it is a fact that these small USB flash drives can easily be misplaced and can be subject to damage.
I am not sure if I am comfortable with this situation from a control standpoint, unless the drives with the keys are locked down, signed in/out, etc. It appears the last author was also on site at http://www.vista-security.info where there is some more info on BitLocker. To me, BitLocker seems to be more of a stop-gap measure for Microsoft to say "...at least we have something". I am skeptical about whether this scheme will be very effective, and potentially damaging, in other than very small networks or for laptop use. Too bad it is a half measure again.
11 March, 2007 06:58 PM EST One reason BitLocker has not been made available to every version of Vista is that it is not necessary in the vast majority of situations. Full disk encryption with integrity checking prevents thieves from booting another operating system or running a software hacking tool to break Vista file system protections.
It is more suitable for situations where organizations need to protect their most valuable data from falling into unfriendly hands (legally, morally or for competitive reasons). It can be used in conjunction with a Trusted Platform Module (TPM 1.2) installed in a laptop to help ensure that a Windows Vista system has not been tampered with offline. It will provide mobile and office workers with a more secure form of data protection when a unit becomes lost or stolen, or for data destruction when it is decommissioned. Real-life situations can include manufacturers of industrial explosives, evidence used by detectives and confidential patient files carried by public health care workers. There are a few other alternatives on http://www.asystematics.com geared to guarding privacy. One major problem that we see often is Windows' inability to completely destroy records, internet activity, e-mails, etc. even after they are sent to the recycle bin or deleted. There is readily available software to recover data from magnetic drives that, from the user's perspective, does not exist since its whereabouts are hidden by Windows. BitLocker's main focus is data protection and not data destruction.

04 September, 2007 05:56 PM EST IMO it's as appropriate to restrict BitLocker to pro-IT Vista as it is to restrict EFS to XP Pro, and for the same reason.
These are not win-win goodies; they are strong trade-offs, and the downside is potentially being locked out of your material, or (BitLocker) being unable to manage malware without having to run the infected installation's code.
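Several commenters above raise the same operational points: BitLocker is only as good as the TPM it binds to, a startup key held on a USB stick is a control problem, and the real-world failure mode is being locked out of your own volume. As an added example for this thread (not code from the original post or from any of the commenters), the following PowerShell script reports the TPM and BitLocker posture of every volume and flags exactly those conditions. It assumes Windows 8 / Server 2012 or later, where the BitLocker PowerShell module exists (Vista shipped only manage-bde); the cmdlet, class and enum names used are real, and the finding labels and the function names Get-TpmSummary and Get-BitLockerPosture are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post or its comments.
# Reports the TPM and BitLocker posture of every volume and flags:
#   - protection that is off or suspended,
#   - a key protector that lives on removable media (USB startup or external key), and
#   - a protected volume with no recovery password (lock-out risk).
# Assumes Windows 8 / Server 2012 or later with the BitLocker module; on Vista the
# same facts come from "manage-bde -status" instead.

function Get-TpmSummary {
    # Win32_Tpm is the WMI view of the TPM; SpecVersion looks like "1.2, 2, 3" or "2.0, 0, 1.16".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; SpecVersion = 'none'; Ready = $false }
    }
    [pscustomobject]@{
        Present     = $true
        SpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        Ready       = [bool]$tpm.IsEnabled_InitialValue -and [bool]$tpm.IsActivated_InitialValue
    }
}

function Get-BitLockerPosture {
    param(
        # Escrow every recovery password protector to Active Directory (domain-joined hosts only).
        [switch]$BackupToAD
    )
    $tpm = Get-TpmSummary

    foreach ($vol in Get-BitLockerVolume) {
        # Protector types are an enum: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # ExternalKey, RecoveryPassword, Password, AdAccountOrGroup.
        $types    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $recovery = @($vol.KeyProtector | Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })

        if ($BackupToAD) {
            foreach ($kp in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                                             -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }

        $findings = @()
        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $findings += 'protection off or suspended'
        } elseif ($recovery.Count -eq 0) {
            $findings += 'no recovery password: lock-out risk'
        }
        if (@($types -match 'StartupKey|ExternalKey').Count -gt 0) {
            $findings += 'a key protector lives on removable media'
        }
        if (@($types -match '^Tpm').Count -gt 0 -and -not $tpm.Ready) {
            $findings += 'TPM protector configured but TPM not enabled/activated'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = "$($vol.VolumeStatus)"
            ProtectionStatus = "$($vol.ProtectionStatus)"
            Protectors       = ($types -join ', ')
            TpmSpec          = $tpm.SpecVersion
            Findings         = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
```

Run it from an elevated PowerShell session. On a domain-joined machine, `Get-BitLockerPosture -BackupToAD` escrows each recovery password in Active Directory, which is the standard answer to the lock-out concern raised above: the USB startup key can still be lost or damaged, but the volume is recoverable without it.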